Visualizing Audit Data - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

auditctl -D
No rules
autrace /usr/bin/less /etc/sysconfig/auditd
Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'
Always use the full path to the executable to track with autrace. After the trace is
complete, autrace provides the event ID of the trace, so you can analyze the entire data
trail with ausearch. To restore the audit system to use the audit rule set again, just restart
the audit daemon with rcauditd restart.

30.8 Visualizing Audit Data

Neither the data trail in /var/log/audit/audit.log nor the different report types generated by aureport, described in Section 30.5.2, "Generating Custom Audit Reports" (page 357), provide an intuitive reading experience to the user. The aureport output is formatted in columns and thus easily available to any sed, perl, or awk scripts that users might connect to the audit framework to visualize the audit data.

The visualization scripts (see Section 31.6, "Configuring Log Visualization" (page 380)) are one example of how to use standard Linux tools available with SUSE Linux Enterprise Desktop or any other Linux distribution to create easy-to-read audit output. The following examples help you understand how the plain audit reports can be transformed into human readable graphics.

The first example illustrates the relationship of programs and system calls. To get to this kind of data, you need to determine the appropriate aureport command that delivers the source data from which to generate the final graphic:
aureport -s -i
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
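As an added example (not a script from the guide or from the SUSE audit package), the following POSIX sh/awk script does the column processing the text describes: it reads the aureport -s -i columns, counts each program/system-call pair, and emits a Graphviz DOT graph of those relationships. The report lines embedded in SAMPLE_REPORT are constructed for the example, not real audit data.

```shell
#!/bin/sh
# Constructed sample of 'aureport -s -i' output (not real audit data).
SAMPLE_REPORT='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
3. 16/02/09 17:45:02 open 20350 mktemp root 2285
4. 16/02/09 17:45:03 open 20343 cron unset 2290'

# Reduce the column report (read from stdin) to "comm syscall count" lines.
# Report columns: 1=index 2=date 3=time 4=syscall 5=pid 6=comm 7=auid 8=event
# Only numbered data rows with all eight columns are counted; the title,
# separator and header lines are skipped.
syscall_pairs() {
    awk '$1 ~ /^[0-9]+\.$/ && NF == 8 { count[$6 " " $4]++ }
         END { for (k in count) print k, count[k] }' | sort
}

# Emit a Graphviz DOT graph: one edge per program -> system call,
# labelled with how often that pair appeared in the report.
syscall_graph() {
    syscall_pairs | awk 'BEGIN { print "digraph syscalls {" }
         { printf "  \"%s\" -> \"%s\" [label=\"%s\"];\n", $1, $2, $3 }
         END { print "}" }'
}

# Stand-alone run over the constructed sample; on a live system use
#   aureport -s -i | syscall_graph
printf '%s\n' "$SAMPLE_REPORT" | syscall_graph
```

Pipe the resulting DOT text into dot -Tpng to render the graphic.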
368
Security Guide
